Forum Discussion

Silver Contributor

Oct 21, 2019

Solved

O365 Malware report data to Sentinel

Does anyone know how to get data from the O365 Security and Compliance center report dashboards into Sentinel? specifically the Malware Detection data

microsoft 365

security

Nicholas DiCola (SECURITY JEDI)
Oct 28, 2019
Dean_Gross

right now O365 connector gets Onedrive, Sharepoint and Exchange events only. we plan to expand to other O365 events.

In the short term, you could use a logic app to pull the O365 API events into Log Analytics.

Nicholas DiCola (SECURITY JEDI)

Former Employee

Oct 28, 2019

Dean_Gross

right now O365 connector gets Onedrive, Sharepoint and Exchange events only. we plan to expand to other O365 events.

In the short term, you could use a logic app to pull the O365 API events into Log Analytics.

Dean_Gross

Silver Contributor

Nov 13, 2019

Nicholas DiCola (SECURITY JEDI) thanks for the suggestion, but I'm not seeing any events in the O365 APIs that are related to the malware reporting data. can you provide me some details about how this can be accomplished?

Nicholas DiCola (SECURITY JEDI)
Former Employee
Nov 13, 2019
Dean_Gross

Alerts are documented in the schema here. https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#security-and-compliance-alerts-schema

Looks like audit log has two entries for ThreatIntelligence

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32

One for Exchange ATP, and one for Onedrive/SP/Teams ATP